How to export alert information in Cortex XDR/XSIAM

Created On 04/29/24 12:20 PM - Last Modified 09/26/25 13:42 PM


Objective


  • This article explains how to export alert information from the Incidents and Alerts pages and via XQL queries.


Environment


  • Cortex XDR
  • Cortex XSIAM


Procedure


Export alerts from the Incidents page:

  1. In Cortex Console -> Incident Response -> Incidents, click the grip-lines icon to switch to the detailed view and select the incident that contains the alerts you want to export.
  2. On the Incident card, select the "Alerts & Insights" tab and click "Alerts" if not already selected.
  3. Click the "Export to File" button to download the alerts.


Export alerts from the Alerts page:

  1. In Cortex Console -> Incident Response -> Incidents, click the "Alert Table" button in the top right area of the screen.
  2. In the "Alerts" page, customize the filter to display the desired alerts for export.
  3. Click the "Export to File" button to download the alerts.


Export alert data using XQL query:

  1. In Cortex Console -> Incident Response -> Investigation -> Query Builder, click the "XQL Search" button.
  2. Use this XQL query to fetch all alerts that belong to a specific incident:

dataset = alerts
| filter incident_id = XXXXX

     Notes:
       • Replace XXXXX with the numeric incident ID (the unique number that identifies the incident in the Incidents table).
       • If desired, add more filters to the query (for example on severity, alert source or alert name) to fine-tune the results before exporting.
  3. After the query returns the alerts, click the "Export to File" button to download them.
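The following query is an added example and is not part of the original article. It extends the single-filter query above in the direction the notes suggest: it restricts the search window, keeps only high and critical alerts for the incident, selects the columns a reviewer usually wants in the exported file, and sorts newest first so the export reads top-down. The incident number 12345 is a constructed placeholder. The field names (_time, alert_id, alert_name, severity, alert_source, agent_hostname) and the severity enumeration values are stated from memory of the Cortex alerts dataset schema and should be verified against the schema browser in your own tenant before the export is relied on.

```xql
// Added example (not from the original article): export-ready view of one incident's alerts.
// incident_id 12345 is a constructed placeholder; replace it with your incident's number.
config timeframe = 30d
| dataset = alerts
| filter incident_id = 12345
    and severity in ("SEV_040_HIGH", "SEV_050_CRITICAL")   // assumed enum values, verify in your tenant
| fields _time, alert_id, alert_name, severity, alert_source, agent_hostname
| sort desc _time
| limit 10000
```

Run the query from XQL Search, check that the row count matches what the Alerts tab of the incident shows (a mismatch usually means the timeframe or severity filter is excluding alerts you wanted), then use "Export to File" on the result table. Keeping a fields stage in the query also fixes the column set of the export, so repeated exports from different analysts produce identically shaped files.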


Source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CrPxCAK&lang=en_US